
Developing Best Practices from OCR Audit Protocols and Issue Resolutions


MRO recently hosted a webinar titled “Developing Best Practices from OCR Audit Protocols and Issue Resolutions” as part of our three-part webinar series on privacy and security. The presentation began with a review of the first webinar in the series, “Lessons Learned from OCR Enforcement Actions.” This set the stage for the discussion of Best Practices that have resulted from the HIPAA Audit Program and resolution agreements.

Developing Best Practices

Most of us have a sense of what is good practice, but this depends on an organization’s perspective, so it is important to understand and document Best Practices that may be developed in response to an event or situational analysis. (Situational analysis is the review of published privacy or security incidents.)

To become a Best Practice, a practice needs theory and research to ground and inform its creation. Reflective practice results in Best Practices, which is why audit programs are needed. Audits incorporate the notion that practice is adjusted following feedback from the audit/evaluation process.

Part of threading Best Practices into your organization is reviewing the audit evaluations that support these stated processes and reinforce them in existing practice. You might find that practice has been updated, but the related policy has not. It is important for policy and practice to correlate. When you find a difference, you must determine which statement is correct and update documentation accordingly.

Paramount to the success of Best Practices are the following:

  • They must be proven across a range of circumstances, allowing for critical thinking to be applied to each unique situation.
  • Simplicity is required. If people can’t understand the practice, implementation will not be successful.
  • Make them accessible and available for utilization by sharing them. If there is a lot of new information and/or a complete change in process, then education is critical.

Best Practices Based on OCR Enforcement Actions

During our presentation, we reviewed several HIPAA settlement cases, which resulted in an understanding of Best Practice developed through consideration of known facts. Here are some key lessons learned.

  • Require Business Associate Agreements (BAAs) with any vendor or third party that has access to Protected Health Information (PHI).
  • Conduct a risk assessment, followed by thorough analysis of those findings, which would include a project plan schedule for mitigation and/or re-evaluation to accommodate budgetary limitations.
  • Management of identified risks is paramount, which includes the documentation of all discussions and mitigation efforts.
  • Ensure the workforce is aware of external and internal threats, and of how to escalate privacy or security events via appropriate reporting channels.
  • Be certain that system patches are applied in a timely manner.
  • Pay careful attention to disposal of information. The case of a facility which failed in this area was highlighted in our presentation.
  • Ensure incident response plans are in place, and maintain overall governance of the program.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 2: Developing Best Practices from OCR Audit Protocols and Issue Resolutions.




Audits vs. Reviews: The Difference between Payer Requests for Medical Documentation

It’s no secret to most HIM professionals that the volume of health plan medical record requests continues to increase significantly. These requests vary in purpose, and there can be some confusion about which are actually audits and which are reviews, e.g., HEDIS and Risk Adjustment. Here are some helpful tips for telling the difference.

Telling the Difference between Payer Audits and Reviews

Typically, the purpose of post payment audits is to confirm correct coding and sequencing as billed on the claim to determine if payment was made to the provider correctly; the health plan’s intention is to recoup funds on overpaid claims, which benefits them.

So what is the difference between an audit and a review? HEDIS and Risk Adjustment (Medicare and commercial) reviews do benefit the payers; the main difference is there is no potential negative financial impact to providers.

HEDIS reviews can actually benefit providers during contract negotiations because the HEDIS performance rankings can be used to gauge the quality and effectiveness of different health plans for potential participation with the facility.

With Risk Adjustment reviews, health plans have to prove the needs of the population to CMS so they are able to continue to provide services for higher risk patients, and ultimately pay providers for the care of this population. In both cases, medical records are needed to perform this analysis.

Payer Audit and Review Requests are Chargeable

In 2015, 85 percent of audit and review requests came from third-party vendors representing the health plans. Both post payment audit and review requests are typically chargeable to the requesting party, and they are willing to pay due to the importance of collecting the records. It is not uncommon for these vendors to apply pressure to providers to send records by a faux deadline and/or at no cost. A provider’s Release of Information vendor should be able to work directly with these requesters to ensure payment for and timely delivery of records.

To learn about MRO’s Payer Audit and Review solutions, visit the MRO website or visit us at the HFMA ANI convention June 25-28, 2017 in Orlando, Florida – Booth #1150.


Case Study: Outsourcing Release of Information Increased Efficiency, Reduced Risk and Improved Patient Satisfaction Across One Health System

On June 15, 2017, MRO Area Manager, Kaylin Alexander, RHIA, and MRO client Patsy Raworth, RHIA, Director of HIM, RAC Coordinator and Privacy Officer for Mississippi Baptist Health System, will be co-presenting a session at the MSHIMA annual meeting in Hattiesburg, Mississippi.

The presentation will cover best practices for Release of Information (ROI) and dive into the details of how Mississippi Baptist increased efficiency, reduced risk and improved patient satisfaction across the health system enterprise by moving to an outsourced model for Protected Health Information (PHI) disclosure management.

Outsourcing Yields Benefits for Mississippi Baptist

Mississippi Baptist, a 629-bed healthcare organization, which includes four hospitals and 37 clinics, receives 43,000 ROI requests annually not including walk-in requests. The organization’s Health Information Management (HIM) department, led by Raworth, historically handled all ROI processing in-house.

In 2015, Raworth looked to an outsourced solution with more sophisticated workflows and technology, as well as additional staff resources, to meet the challenges of an evolving HIM space, including the rising tide of government and commercial payer audits. She, along with other stakeholders within the healthcare organization, chose to partner with MRO.

By adding MRO staff onsite and utilizing the support teams at our National Service Center, Mississippi Baptist saw a huge improvement in quality and productivity. Some of the highlights include:

  • MRO handled nearly 5,500 patient and requester calls in 2016.
  • IdentiScan®, MRO’s record integrity application, assisted in preventing 60 improper disclosures in a one-year time frame.
  • Potential breach risk lowered from $97,000 annually to just $39.
  • MRO’s tracking capabilities justified payment for $180,000 of inaccurately denied claims.

Learn more at the upcoming MSHIMA meeting, or download MRO’s Mississippi Baptist Health Case Study by completing the form.
